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1.  Introduction 

Some  of  the  most  difficult  to  find  bugs  in  systems  programs  arise  in  situations  of 
concurrent  access  to  data  structures.  Thus  the  need  for  a precise  understanding  of 
the  semantics  of  parallel  programs  is  clear.  The  attainment  of  a suitable  formal 
definition  of  parallel  program  semantics  will  allow  construction  of  automatic  verification 
tools.  These  should  help  to  eliminate  the  frustrating,  "irreproducible"  bugs  which 
usually  plague  an  operating  system. 

The  earliest  attempts  at  verifying  parallel  programs,  e.g.  [Habermann  72, 
Brinch  Hansen  72]  were  basically  informal  and  concerned  primarily  with  weak 
correctness.  [n°n  76]  describes  a semi-formal  approach  to  verifying  concurrently 
accessed  abstract  data  types  which  contain  path  expressions.  Hoare  [Hoare  7 A] 
gave  a formal  axiomatization  for  monitors.  These  latter  two  papers  take  a data- 
oriented  view  of  parallelism  which,  though  quite  reasonable  for  the  problems  treated, 
is  not  particularly  suited  for  proof  of  such  strong  correctness  properties  as  safety 
from  blocking  and  deadlock.  By  data-oriented  we  mean  with  regard  only  to  concurrent 
access  to  data  structures,  independent  of  the  control  structures  of  the  actual 
processes. 

The  approach  of  Owicki  and  Gries  [Owicki  76]  is  a process-oriented  extension 
of  Hoare's  axiom  system  for  sequential  programs  [Hoare  69]  - close  attention  is  paid 
to  the  form  of  the  actual  processes.  Our  goals  are  closely  related  to  those  of  Owicki 
and  Gries,  although  our  approach  is  quite  different.  There  have  seen  similar 
approaches,  notably  [Keller  76,  Lamsveerde  76].  The  work  presented  here  is  an 
outgrowth  of  some  ideas  discussed  in  [Flon  77], 
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We  shall  begin  by  using  Dijkstra’s  predicate  transformers,  primarily  the  concept 
of  weakest  pre-condition,  to  describe  the  semantics  of  nondeterministic  programs 
which  differ  from  Dijkstra’s  [Dijkstra  76]  in  that  they  are  not  necessarily  required  to 
terminate.  In  particular  we  will  discuss  the  weak  correctness  of  such  nondeterministic 
programs,  along  with  the  strong  correctness  issues  of  blocking,  deadlock,  and 
starvation. 

I Subsequently  we  discuss  the  relationship  between  nondeterminism  and 

parallelism.  We  show  how  parallel  programs  can  be  effectively  transformed  into 
nondeterministic  programs,  so  that  the  results  obtained  for  nondeterministic  programs 
can  be  indirectly  used  to  verify  parallel  programs.  Several  examples  are  treated, 

including  the  problem  of  the  Five  Dining  Philosophers,  which  relies  on  a 

I 

synchronization  primitive,  and  an  old  Mutual  Exclusion  scheme  which  relies  only  on  the 
indivisibility  of  access  to  memory. 

2.  The  Nondeterministic  Command  Rep 

Dijkstra  [Dijkstra  76]  describes  the  semantics  of  the  repetitive  guarded 
command,  written 

— II  ||  . . ,Bn->Sn  od 

in  terms  of  the  weakest  (i.e.  necessary  and  sufficient)  pre-condition  to  the  command 
which  guarantees  termination  with  a given  post-condition.  The  intent  of  DO  is  that  the 
guards  Bj  are  evaluated,  a true  one  is  chosen  (nondeterministically),  and  its 
corresponding  statement  $j  is  executed.  The  process  is  continued  until  no  Bj  is  true, 
at  which  point  DO  terminates.  Formally, 
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wp(DO,  R)  - (3k*0)Hk(R) 

Hq(R)  - R a -(3j<  l..n)Bj 

Hk+i(R)  - (3j<l..n)Bj  a (VjU..n)(Bj  -»  wpfSj,  Hk(R))) 
where  Hk(R)  gives  the  weakest  pre-condition  which  assures  that  R will  be  established 
and  the  loop  will  terminate  in  at  most  k steps.  We  define  for  our  purposes  a similar 
command,  REP,  denoted 

CSfi.  ||  B2~»S2  II  . • -Bn-»Sn  £§£. 

REP  has  similar  behavior  to  DO,  with  the  exception  that  REP  will  not  terminate  unless 
the  command  "exit"  is  executed.  Thus,  if  no  guard  evaluates  to  true,  REP  will  "hang"  - 
i.e.  it  will  not  terminate.  If  there  is  in  general  no  final  state,  how  are  we  to  define  the 
semantics  of  REP? 

3.  Weak  Correctness 

3.1  Invariance 

One  way  to  represent  the  weak  correctness  of  REP  is  in  terms  of  a set  of 
assertions  {Pj  | lsj<n},  where  n is  the  number  of  guards  and  Pj  is  guaranteed  to  hold 
whenever  Sj  is  executable.  That  is,  a selection  is  about  to  be  made  from  among  the 
guards  and  Bj  is  true.  If  we  denote  the  fact  that  P must  always  hold  whenever  Bj 
evaluates  to  true  as  u/fpj(REP,  P),  we  have 
wlpj(REP,  P)  - (Vk>0)W^(P) 

W^P)  - Bj-»P 

WLl(P)  " <Vi<l-nXBj  + wlp<Sj,  W^P») 
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W^(P)  is  the  weakest  condition  which  guarantees  Bj**P  after  exactly  k statements  have 
been  executed,  if  it  is  possible  to  execute  that  many.  The  predicate  u/Lp{ S,  R)  is 
Dijkstra’s  weakest  liberal  pre-condition,  and  is  equivalent  to  wp  without  requiring 
termination. 

As  an  example,  consider 
rep 

1-0  -»  x*-x/2j  jf  odd(x)  then  l«-l  else  skip  f[  || 

1-1  -*  x<-x-l 

per 

Let  Pj  be  even(x)  and  P2  be  odd(x).  Then  by  the  above  recurrence, 
wlpj(REP,  even(x))  - (1=0  =*  even(x)) 
wlp2(REP,odd(x))  - (1=1  =»  odd(x)) 

3.2  Potentiality 

Let  us  also  consider  the  question  of  whether  or  not  a given  guard  can  ever  (has 
the  potential  to)  evaluate  to  true.  That  is,  what  is  the  weakest  pre-condition  to  REP 
that  guarantees  the  existence  of  a finite  execution  sequence  which  leads  to  the  truth 
of  Bj?  Let 

u/pot(REP,  P)  - (3k^0)Vk(P) 

VQ(P)  - P 

Vk+1(P)  - C3j< l..n)(Bj  a wp(Sj,  Vk(P»> 

Then  wpot( REP,  Bj)  is  the  desired  weakest  pre-condition.  In  the  above  recurrence, 
Vk(P>  gives  the  weakest  pre-condition  that  guarantees  the  existence  of  a length-k 
execution  sequence  which  establishes  P. 

For  example,  if  REP  is 

rep  A -*  x«-0  ||  B -»  x«-l  ||  x = l -»  x«-x+l  per 
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then  guard  3 (x-1)  has  the  potential  to  become  true  iff  wpotlREP,  x-1),  which 
evaluates  to  (x-1  v B),  is  true  at  entry. 


4.  Strong  Correctness 


4.1  Blocking 

Neither  u/Zpj  nor  u/pot  is  sufficient  to  guarantee  that  REP  will  do  anything  useful. 
For-  example,  it  may  be  that  eventually  no  guards  will  be  true  and  the  command  will 
"hang".  We  shall  say  that  REP  is  blocked  if  such  a state  is  reached,  and  is  blocking-free 
such  state  can  possibly  be  reached.  The  weakest  pre-condition  that  guarantees 
dt  REP  is  blocking-free  is 

wbp(REP)  - (Vk>0)Gk 
Gq  - true 

Gk+1  - (3j<l..n)Bj  a (Vj«l..n)(Bj  -»  wpfSj,  Gk)) 

Here,  Gk  is  the  weakest  pre-condition  that  guarantees  at  least  a length-k  execution 
sequence.  For  example,  if  REP  is 

rep  x>y  -»  x«-x-y  ||  y>x  -*  y«-y-x  per 
then  by  the  above  recurrence 

wbp(REP)  - xr»y  A (x<0  v y<0) 


4.2  Deadlock 

Deadlock  in  a system  of  parallel  processes  is  defined  in  [Holt  72]  as  a state  in 
which  "one  or  more  processes  are  blocked  forever  because  of  requirements  that  can 
never  be  satisfied."  We  will  call  a nondeterministic  program  deadlocked  if  it  reaches  a 
state  from  which,  for  any  guard,  there  is  no  possible  execution  sequence  which  will 
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lead  to  its  truth.  A deadlock-free  program  is  one  in  which  it  is  not  possible  to  reach  a 
deadlock  state. 

i 

Consider  the  predicate  wpot(REP,  Bj)  for  some  REP  command.  That  predicate 
gives  the  weakest  pre-condition  that  guarantees  the  existence  of  an  execution 
sequence  which  leads  to  the  truth  of  guard  j.  Suppose  u/pot(REP,  Bj)  is  always  true 
whenever  a guard  selection  is  made,  and  that  REP  is  blocking-free.  Then  REP  can 
never  reach  a deadlock  siate  with  respect  to  guard  j,  since  Bj  always  has  the  potential 
to  evaluate  to  true.  This  condition,  denoted  u/cfpj(REP)  is  precisely  defined  by 
wdpj(REP)  - wbp(REP)  a (Vk(  l..n)wlpk(REP,  wpot(REP,  Bj)) 

4.3  Starvation 

The  phenomenon  of  starvation  in  a system  of  parallel  processes  is  another 
strong  correctness  issue  that  we  must  consider  in  addition  to  blocking  and  deadlock. 
Dijkstra  [Dijkstra  71]  briefly  discusses  this  issue  with  respect  to  the  problem  of  the 
Five  Dining  Philosophers.  In  a nondeterministic  program,  we  say  that  a particular 
statement  may  starve  if  it  is  possible  for  the  program  to  reach  a state  in  which  the 
statement’s  guard  is  false,  and  state  transitions  which  leave  it  false  may  continue  to  be 
taken  indefinitely.  Thus  a given  guard  j is  starvation-free  if  it  is  not  possible  to  reach 
a state  from  which  there  is  an  execution  sequence  which  forever  maintains  -Bj.  Let 
this  condition  be  denoted  u/jpj(REP).  Then 

wspj(REP)  - wbp(REP)  A -wpot(REP,  IK-Bj)) 

U(R)  - (Vk>0)  Uk(R) 

Uq(R)  - R 

Uk+1(R)  - (3i( l..n)(Bj  a wp(Sj,  Uk(R)» 

Uk(R)  gives  the  weakest  pre-condition  which  assures  the  existence  of  a length-k 
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execution  sequence  during  which  R is  always  true.  U(R)  requires  that  there  be  an 
unbounded  execution  sequence  which  maintains  the  truth  of  R.  Thus  wspj(REP)  gives 
the  weakest  pre-condition  which  denies  the  possibility  of  reaching  a state  in  which 
U(-Bj)  holds. 

4 4 Invariants 

It  is  not  always  necessary  to  compute  all  of  the  stated  recurrences  in  the 
previous  sections  in  order  to  verify  a given  program.  The  following  theorems  follow 
from  the  previously  defined  recurrences: 

Theorem  1 

[<VM  a Bk  -»  wlp(SK,  J))]  a (J  * (Bj  -»  P)) 

V J -*  wlPj(REP,  P) 

That  is,  any  predicate  J which  is  invariant  across  each  statement  and  implies  (Bj=*P) 
will  suffice  to  guarantee  wlpj(REP,  P). 

Theorem  2 

[(VkU_n)(jf  a BK  -»  wp(Sk,  J )]  a (J  * (3k<l..n)Bk) 
h J -*  wbp(REP) 

Similarly,  an  invariant  predicate  which  implies  the  existence  of  a true  guard  must  be 
sufficient  to  guarantee  absence  of  blocking. 

Theorem  3 

[(Vk<  l..nK^  a Bk  ->  wp(Sk,  J)]  a (J  -»  (3ktl..n)Bk)  a {J  =»  wpot(REP,  Bj)) 

V J <+  wdpj(REP) 

Any  invariant  predicate  which  implies  both  safety  from  blocking  and  the  potential  for 
Bj  to  be  established  must  guarantee  guard  j to  be  safe  from  deadlock. 
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Theorem  4 

[<Vk«l..n)(,;  a Bk  -»  wp(SK,  J)]  A (J  + (3k<l..n)Bk)  a {J  * ^J(-Bj)) 

K J -*  wspj(REP) 

If  an  invariant  predicate  implies  that  no  unbounded  execution  sequence  exists  which 
keeps  Bj  false,  then  guard  j must  be  free  from  starvation. 

4.5  Example 

Consider  the  command 
rep 

x>0  A y<n  -»  x«-x-l;  y*-y  + l || 
y>0  a z<n  ->  y*-y-l;  z«-z  + l || 
z>0  A w<n  -»  z«-z-l;  w<-w  + l || 
w>0  A x<n  -»  w«-w-l;  x«-x  + l 

per 

Let  J be 

0<x<n  a 0<y<n  A 0<z<n  a 0<w<n  a 0<x+y+z+w<4n 
We  will  show  that  if  J is  true  at  entry,  the  command  is  safe  from  blocking.  By 
Theorem  2,  J * wbp(REP)  because 

1)  3 A Bj  =*  wp(Sj,  J) 

0<xSn  a 0<y<n  a 0<z<n  a 0<w<n 
-*  l<x<n+l  a -l<y<n-l  a 0<zSn  a 0<w<n  a 0<x+y+z+w<4n 

(the  others  follow  by  symmetry) 

2)  J •*  (3k«l..n)Bk 

0<x<n  a 0<y<n  a 0<z<n  a 0<w<n  a 0<x+y+z+w<4n 
=■*  (X>0  A y<n)  v (y>0  a z<n)  v (z>0  A w<n)  v (w>0  A x<n) 

5.  Reduction  of  parallel  programs  to  nondeterministic  programs 

We  have  seen  that  such  problems  as  weak  correctness,  blocking,  deadlock,  and 
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starvation  can  be  formalized  for  nondeterministic  programs.  These  results  can  be 
applied  to  parallel  programs  if  we  can  effectively  convert  parallel  programs  to 
equivalent  nondeterministic  programs.  Here  the  meaning  of  equivalence  is  that  for  any 
execution  sequence  of  one  program,  there  is  a corresponding  execution  sequence  of 
the  other  such  that  values  of  variables  in  the  parallel  program  have  the  same  history 
sequence.  (Note  that  we  will  have  to  introduce  program  counters  to  transform 
parallelism  to  nondeterminism,  so  they  are  only  equivalent  in  this  sense.)  For  a 
rigorous  treatment  of  models  of  parallel  computation  see  [Karp  69]. 

We  will  outline  a procedure  for  transforming  parallel  programs  made  up  of  the 
cobegin-coend  construct  with  conditional  critical  regions  for  synchronization 
[Brinch  Hansen  73].  The  sequential  parts  of  these  programs  consist  of  assignment, 
conditionals,  while-loops,  compounds,  and  sequencing.  We  will  use  the  notion  of 
effective  indivisibility  of  program  segments.  A segment  is  effectively  indivisible  if  the 
final  values  of  variables  are  always  determined  only  by  their  initial  values.  That  is, 
they  are  not  affected  by  the  other  processes.  For  example,  in  the  program 

cobegin  x«-x  + l //  x*-x+l  coend 

x*-x  + l is  not  indivisible  because  the  final  value  of  x may  be  either  1 or  2 more  than 
the  initial  value.  If  we  convert  the  program  to 

cobegin  c«-x;  x«-c+l  //  d«-x;  x«-d  + l coend 

then  each  assignment  is  indivisible.  The  conditional  critical  region  itself  is  by  definition 
effectively  indivisible,  so  the  program 

cobegin 

with  x when  true  do  x«-x  + l // 
with  x when  true  do  x«-x  + l 

coend 


is  in  indivisible  form. 
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We  first  convert  the  entire  parallel  program  to  indivisible  form  - that  is,  a 
program  in  which  every  assignment  statement  which  is  outside  of  a conditional  critical 
region  is  indivisible.  This  is  accomplished  by  introducing  variables  local  to  each 
process  as  in  the  previous  example.  Next,  each  statement  is  converted  as  follows: 

1)  cobeein  Pj  //...//  Pn  coend 

The  program  skeleton  is  converted  to 

Pl«-  • • Pp*-0; 
rep 

<guarded  commands  for  Pj>  || 

<guarded  commands  for  Pn>  || 
cj-mj  A . . .cn=*mn  -*  exit 

per 

Here,  <guarded  commands  for  Pj>  consists  of  a number  of  guarded  commands  of  the 
form 

<condition>  -»  <statement  list> 

and  mj  is  the  largest  value  of  Cj  assigned  in  <guarded  commands  for  Pj>.  The  "exit" 
command  is  introduced  to  provide  a means  for  termination. 

2)  Sequencing  of  the  form  Sji  . . .Sn 

Statement  lists  are  converted  to 
<guarded  command>  || 

<guarded  command>  || 

3)  Assignment  of  the  form  x«-e 

If  the  program  counter  for  the  previous  statement  is  n,  this  is  transformed  to 
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Pj«n+1  -*  x*-e;  pj«-n+2 

4)  Conditionals  of  the  form  if  B then  Sj  else  S2  fi. 

Let  kj  be  the  number  of  different  values  of  the  program  counter  resulting  from 
the  transformation  of  S j , and  1^  be  the  same  for  $2*  If  n is  the  program  counter  for 
ihe  previous  statement,  the  conditional  is  transformed  to 
Pj-n+1  AB-*  Pj+-n+2  || 

Pj-n+1  a -B  -»  pj*-n+kj+2  || 

Pj-n+2  . . . 

<guarded  commands  for  Sj> 

Pj«n+1 +kj  . . . 

Pj-n+2+k  j . . . 

<guarded  commands  for  $2> 

Pj-n+l+kj+k2  . . . 

?*}  Loops  of  the  form  while  B do  S od 

Let  k be  the  number  of  different  values  of  the  program  counter  which  result 
from  converting  S.  If  n is  the  previous  program  counter, 

Pj-n+1  aB-*  Pj«-n+2  || 

Pj«n>l  a -B  -»  pj«-n+2+k 
Pj-n+2  . . . 

<guarded  commands  for  S> 

Pj-n+1 +k  . . . 
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6.  Application 

Even  though  by  conversion  to  nondeterminism  we  have  obtained  formal 
definitions  for  the  various  correctness  issues  associated  with  parallel  programs,  the 
question  remains  as  to  whether  this  approach  is  practical.  In  this  section  we  shall 
treat  various  examples  to  show  the  power  of  our  method.  The  approach  of  Owicki 
[Owicki  75]  is  both  practical  and  highly  dissimilar  to  ours,  so  by  way  of  comparison 
some  of  the  examples  we  discuss  have  been  previously  handled  by  her  method. 

6.1  Weak  correctness 

The  following  example  appears  in  [Owicki  75],  where  its  weak  correctness 
cannot  be  proved  without  the  addition  of  auxiliary  variables.  The  discovery  of  the 
right  set  of  auxiliary  variables  (in  general)  requires  much  intellectual  effort. 

cobegin 

with  x when  true  do  x*-x+l  // 
with  x when  true  do  x*-x  + l 

coend 

The  transformation  to  a nondeterministic  program  also  introduces  auxiliary  variables 
(program  counters),  but  in  a uniform  manner.  Even  though  some  of  the  program 
counters  may  be  superfluous,  we  remove  the  burden  of  inventing  auxiliary  variables 
and  the  corresponding  operations  upon  them.  The  nondeterministic  version  is 

Pl*-P2*-0» 

rep 

pj-0  -*  x*-x+l;  pj«-l  || 

P2“0  -»  x«-x+ls  P2*-l  II 
Pj-1  a p2-l  -*  exit 

per 

It  is  easily  seen  that  the  weak  correctness  invariant  is  x«Xq+p1+P2»  where  xq  is  the 
initial  value  of  x.  Since  pj-1  a p2»l  at  the  exit,  the  program  will  establish  x-xq+2. 
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S.2  Mutual  exclusion 

We  consider  a solution  to  a mutual  exclusion  problem  discussed  by  Dijkstra  in 
1965  [Dijkstra  65].  Two  processes  A and  B have  critical  sections  which  must  be 
excluded  from  one  another.  No  synchronization  primitive  other  than  the  indivisibility 
of  a single  access  to  memory  is  allowed.  The  following  solution  is  discussed  in 
[Flon  77]: 

var  inA,  inB:  boolean  initially  false, 
prty:  (A,B)  initially  A; 


processA:  while  true  do 
<think> 
inA*-true; 
while  inB  do 

jf.  prty-B  then 
inA«-false; 

while  prty-B  do  skip  od; 
inA«-true 
11 

od; 

<critical  section> 
inA«-false; 
prty*-B 
od 


processB:  while  true  do 
<think> 
inBMrue; 
while  inA  do 

if  prty -A  then 
inB«-false; 

while  prty-A  do  skip  od; 

inB«-true 

11 

od; 

<cr itical  section> 
inB*-false; 
prty«-A 
od 


The  nondeterministic  version  of  this  parallel  system  is 
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pl«-p2«-lj  inA*-inB«-false;  prty*-A; 
rep 

pl-1  -*  inA«-true;  pl«-2  || 

pl-2  a inB  -*  pl*-3  || 

pl-3  a prty-B  -*  inA«-false;  pl«-4  || 

pl-4  A prty«B  -»  skip  || 

pl-4  a prty^B  -»  inA«-true;  pl«-2  || 

pl-3  a prty-B  ->  pl«-2  || 

pi -2  A -inB  -»  <critical  section>;  pl«-5  || 

pl«5  -*  inA«-false;  pl«-6  || 

pl-6  -»  prty«-B;  p 1 *- 1 || 

p2-l  -*  inB«-true;  p2<-2  || 

p2-2  a inA  -*  p2*-3  || 

p2«3  a prty-A  -»  inB«-false;  p2<-4  || 

p2-4  a prty-A  -»  skip  || 

p2-4  a prty^A  -*  inB«-true;  p2«-2  || 

p2-3  a prty-A  -*  p2*-2  || 

p2-2  A -inA  -*  <critical  section>;  p2«-5  |J 

p2-5  -»  inB<-false;  p2«-6  || 

p2-6  -*  prty«-A;  p2«-l  || 

per 

To  show  that  the  critical  sections  cannot  both  be  active  at  the  same  time,  it 
suffices  to  prove  that  the  guards  which  reflect  entry  to  the  critical  sections  cannot 
both  be  true  at  the  same  time.  Thus, 

(pi -2  a -inB)  a (p2«2  a -inA) 
must  be  invariantly  false.  Consider  the  predicate 

L - (pl-3  inA)  A (p2-3  inB)  A [(pl-2  *♦  inA)  v (p2«2  ■*  inB)] 

(The  last  conjunct  is  the  negation  of  the  previous  formula.)  L is  invariant  across  all  of 
the  commands,  and 


L ^ -(pl-2  a -inB)  v -(p2-2  a -inA) 

so  clearly  the  critical  sections  cannot  be  active  simultaneously.  This  program  is  proved 
correct  in  [Flon  77],  using  an  extension  of  Owicki’s  methodology,  but  auxiliary 
variables  are  needed  in  a non-trivial  way.  The  proof  presented  here  is  much  simpler. 
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6.3  Deadlock 

We  will  show  that  the  following  program  is  subject  to  deadlock: 

rl«-r2«-l; 

cobegin 

while  true  do 

with  r2  when  r2-l  do  r2«-r2-l  od; 
with  rl  when  r 1-1  do  rl*-rl-l  od: 
with  rl,r2  when  true  do  rl«-r2«rl  od 

od  // 

while  true  do 

with  rl  when  r 1 — 1 do  rl«-rl-l  od: 
with  r2  when  r2-l  do  r2«-r2-l  od: 
with  rl,r2  when  true  do  rl*-r2*-l  od 

od  // 

while  true  do  skip  od 


coend 

The  nondeterministic  version  is 

rl«-r2*-l;  pl«-p2«-p3*-0; 
rep 

pi “0  a rl-1  -»  r 1 «-r  1 - 1 ; pl«-l  || 
pl-lAr2-l  -»  r2«-r2-l;  pl«-2  || 
pl-2  -*  rl«-r2«-l;  pl«-0  || 
p2-0  a r2-l  -*  r2«-r2-l;  p2*-l  || 
p2-l  A rl-1  -*  rl«-rl-lj  p2*-2  |j 
p2-2  -►  rl«-r2«-l;  p2*-0  || 
p3-0  -»  skip 

per 

We  can  establish  the  possibility  of  deadlock  by  finding  an  invariant  J which  implies  --Bj 
for  some  j,  and  then  showing  that  there  is  a way  to  arrive  at  J.  The  latter  property  is 
expressed  by 


For  the  above  program 


wpot(REP,  J) 


pl-1  A r2-0  A p2-l  A rl-0 

is  an  invariant.  It  is  also  possible  to  achieve  this  by  first  executing  command  1 and 
then  command  4.  That  is, 
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Bj  a wlpfSj,  a wlp(S/j,  J )) 

which  evaluates  to 

rl-1  a r 2-1  a pl-0  a p2-0 

which  is  established  by  the  initialization.  Furthermore,  j prevents  all  but  the  last 
guard  from  running,  so  the  original  parallel  program  may  deadlock. 


6.4  Starvation 

In  this  section  we  treat  the  problem  of  the  Five  Dining  Philosophers 

[Dijkstra  71],  The  following  parallel  program  is  a solution  to  the  problem  which  is 

known  to  have  the  possibility  of  starvation: 

f 0«— f l*-f2*-f3«-f4«-lj 
cobegin 

philosopher  1: 

while  true  do 

with  fO,f  1 when  iO-1  A fl-1  do  f0«-fl«-0  od; 

“eat"; 

with  fO,fl  when  true  do  <0«-f  1«-1  od 

ed// 


philosopher  5: 

while  true  do 

with  f4,f0  when  f4-l  a fO-1  do  f4«-f0*-0  od; 

"eat"; 

with  f4,f0  when  true  do  f 4*-f 0*- 1 od 
od 

coend 

Below  is  the  corresponding  nondeterministic  program.  It  is  evident  that  the  program 
does  not  terminate,  so  we  have  deleted  the  superfluous  exit  statement. 
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pl«-p2«-p3<-p4*-p5*-0; 

rep 

pl-0  a fO-1  a fl-1  -*  f0«-fl«-0;  pl«-l  || 
pi-1  -»  fO«-fl«-l;  pl«-0  || 

p2-0  a fl-1  a f2-l  -»  fl*-f2«-0;  p2«-l  || 
p2-l  -*  fl*-f2«-l;  p2<-0  || 

p3-0  a f2-l  a f3-l  ->  f2«-<3<-0;  p3«-l  || 
p3-l  -»  f2<-f3«-l;  p3«-0  || 

p4-0  a (3-1  a f4-l  -♦  f3«-f4«-0;  p4«-l  || 
p4-l  ->  f3*-f4«-l;  p4<-0  || 

p5-0  A f4«l  A (0-1  -»  f4«-f0«-0;  p5«-l  || 
p5-l  -»  f4«-f0«-l;  p5«-0  || 

per 

To  prove  that  the  program  is  not  free  from  starvation,  we  will  use  the  following 
theorem: 

wpot(REP,  P)  a (P  ■»  wpot(REP,  Bj))  A [P  ■#  -Bj  A <3kU..nXBk  a wp(Sk,  P)] 

H -wspj(REP) 

The  theorem  states  that  REP  is  subject  to  starvation  whenever  it  is  possible  to  reach  a 

state  P,  from  which  it  is  both  possible  to  establish  Bj  and  possible  not  to. 

For  the  Dining  Philosophers  program,  let  P be 

(f4«0  A fO-0  A fl-0  a f2-0  a p5-l  a p 1 —0  A p2-l)  v 

(f4-l  a fO-1  a fl-0  a f2»0  a p5-0  a pl-0  a p2-l)  v 

(f4-0  a fO-0  a fl-1  a (2-1  a p5-l  a pl-0  a p2-0) 

Clearly  P -Bj.  Furthermore, 

P ■*  (3Ml..n)(Bk  a wp(Sk,  P)> 

because 

P ^ (Bg  A Wp(S3,  P))  V (B4  A wptS^,  P»  V (Bg  A Wp(Sg,  P))  V (Bjq  A WptSjQ.  P)) 

To  prove  that  the  state  P is  reachable,  we  must  show  wpoUREP,  P).  This  clearly  holds 


because  statement  3 may  be  executed  first,  and 

B3  a wp(S3,  P)  - p2-0  a pl-0  a p5-0  a «f4-l  a (0-1)  v (f4-0  a (0-0)) 
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is  implied  by  the  initialization.  Finally,  we  show  that  P **  wpot(REP,  Bj).  This  is 
guaranteed  by 

P (B^  a wpfSq,  Bj))  v <B10  a wp(S^o>  0i»  v A wpfS/j,  B10  a wp(S10.  BA ))) 
Thus,  there  is  a possibility  that  process  1 (and  by  symmetry  any  process)  may  starve. 

7.  Practical  considerations  for  program  verification 

Even  though  it  is  sometimes  possible  to  compute  the  weakest  pre-condition 
recurrences,  in  general  we  will  have  to  use  less  complex  techniques  if  parallel  program 
verification  is  to  be  practical.  If  we  can  discover  sufficiently  strong  invariants  for  the 
nondeterministic  programs,  we  can  use  the  theorems  of  section  4.4  to  verify  weak 
correctness,  safety  from  blocking,  and  safety  from  deadlock  rather  easily. 

Verification  of  safety  from  starvation  can  be  done  by  showing  that  starting  from 
a given  invariant,  all  possible  execution  sequences  must  arrive  at  a state  satisfying  the 
guard  in  question.  This  may  be  done  by  proving  safety  from  blocking  and  defining  an 
integer  function  of  the  program  state  which  is  bounded  from  below  and  which  is 
decreased  by  every  statement  other  than  the  one  in  question.  Following  is  an  example 
of  a proof  of  starvation-freeness. 

Consider  the  program 
rep 

x>0  a y<n  -*  x*-x-l;  y*-y+l  || 
y>0  a z<n  -*  y*-y-lj  z«-z+l  || 
z>0  a x<n  -»  z«-z-l;  x*-x  + l || 

per 

For  this  program,  a loop  invariant  which  guarantees  safety  from  blocking  is 

Osx<n  a 0<y<n  a 0<z<n  a 0<x+y+z<3n 

Since  all  three  statements  are  symmetric,  we  need  only  prove  absence  of  starvation 


19 


for  the  first  one.  To  do  that  we  will  show  that  it  is  not  possible  for  the  second  and 
the  third  processes  to  execute  continuously  without  eventually  making  the  first  guard 
true.  Suppose  the  program  is  in  a state  in  which  the  first  guard  is  false  - i.e.  x-0  v 
y-n.  Consider  the  state  function  W - 3y+2z+x.  W is  decreased  by  exactly  1 by  both 
the  second  and  third  statements.  When  x-n  a y-0,  W can  no  longer  decrease  and  the 
last  two  statements  cannot  execute,  guaranteeing  that  the  first  statement  will  execute. 

8.  Summary 

For  some  time  we  have  been  lacking  an  effective  formalism  for  parallel  program 
semantics.  The  approach  discussed  in  this  paper  was  motivated  by  two  observations  - 
the  the  important  correctness  issues  for  parallel  programs  have  counterparts  in 
nondeterministic  sequential  programs,  and  that  parallel  programs  can  be  effectively 
transformed  to  nondeterministic  ones.  We  have  therefore  presented  formal  definitions 
for  the  weakest  pre-conditions  which  guarantee  weak  correctness,  absence  of 
blocking,  absence  of  deadlock,  and  absence  of  starvation  for  nondeterministic 
programs,  along  with  a procedure  for  the  conversion  of  parallel  programs  to 
nondeterminism. 

As  a demonstration  of  the  usefulness  of  our  formalism  we  have  proved  various 
properties  of  several  programs,  including  a busy-wait  mutual  exclusion  scheme  and  the 
problem  of  the  Five  Dining  Philosophers.  It  remains  to  be  seen  to  what  degree  these 
techniques  will  apply  to  actual  operating  system  examples,  although  we  have  tried  to 
present  various  methods  which  reduce  the  burden  of  computation  in  exchange  for 
some  intellectual  creativity,  such  as  the  discovery  of  invariant  predicates  and 
monotonically  decreasing  state  functions. 
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